SQLMAP is free, professional-grade software that takes a lot of the sweat out of exploiting SQL Injection vulnerabilities. It is not for the faint of heart because (a) expertise in this tool puts you in the company of some of the most ill-intentioned people on the web and (b) relatedly, misuse of the tool could land you on the wrong side of the law.

Nonetheless, it is my recommendation that you learn its basics because it can be useful - especially to make a point about how important addressing SQL Injection vulnerabilities can be. Let’s run through an example of how SQLMAP is useful to me.

Example of how SQLMAP can be useful

Let’s say you have a production-grade application like this one here. (This one in particular is built using Oracle APEX, a technology suite known for its security features.) As part of your routine security hygiene you run APEX Advisor, which lets you know that you have *1* security risk, namely an ‘Inappropriate use of Substitution Syntax’:

This query is based off a real-life example of code that I’ve recently encountered at a client. It’s not the worst SQL Injection vulnerability I’ve seen; it’s middle-of-the-road. In this example, the client is clearly trying to build a dynamic WHERE clause, but in doing so the client has exposed itself to a security vulnerability.
So APEX Advisor is telling us it’s a problem, but how do we prioritize the issue? How do we make the vulnerability less abstract and more real?

Enter SQLMAP

Sqlmap is free to use and trivial to install.

On my Mac, I can install it using Homebrew by typing

~$ brew install sqlmap

Get banner info

Let’s kick things off by challenging SQLMAP to extract the database banner information.

(Optional) I'm choosing to give SQLMAP a little help here by letting it know that it's an Oracle DB. SQLMAP is perfectly capable of figuring this out by itself, though.

-p

(Optional) Short for Parameter - lets SQLMAP know which parameter carries the vulnerability.

-b

Short for Banner. Here is where I ask SQLMAP to look for the banner info.

--flush-session

(Optional) SQLMAP is very efficient at building on the information it keeps in stored sessions. You can tell it to start from scratch like so.

Output

SQLMAP cycles through the 5 SQL Injection strategies it has at its disposal:

1. Blind

2. Time-based

3. Error-based

4. Union query based

5. Stacked queries

It successfully confirms the vulnerability in P7_WHERE_CLAUSE_LS that APEX Advisor identified and prints out the strategies that succeeded.
It also prints out the requested banner info - ‘ORACLE DATABASE 12C’.

Now that SQLMAP has its hooks in this vulnerability, we can up the ante and collect some more interesting information. Let’s identify how much of the database we can see by asking it to print out a full list of owners and tables.

I'm telling SQLMAP to look for columns called 'table_name' and 'owner'.

--dump

I'm instructing SQLMAP to print out the contents of the table that it finds.

--batch

This option says 'Accept all the default options' to spare me from having to answer SQLMAP's questions.

--stop=32

This option says 'Stop after 32 tables'.

Output

This query allows me to identify how much of the database I have access to. In the video, I iteratively ask SQLMAP to pull back an increasingly large number of table names until one of the tables looks interesting.

Dump contents of a table

From the output of the previous exercise, I found a 'USER_TABLE' in the HAYDEN schema that sounds interesting.

Thus concludes a demo of how important it is to address ‘Inappropriate Use of Substitution Syntax’ warnings. A single vulnerability can be exploited to extract some completely unrelated and potentially very sensitive data from your database.

How to secure this vulnerability

SQL Injection vulnerabilities come in a great diversity of forms. This one in particular is harder to solve than most because P7_WHERE_CLAUSE_LS's very purpose is to dynamically assemble a seemingly unbounded set of filtering options against the query. No doubt there are many possible solutions - here's one:
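The author's own fix is not reproduced in this excerpt; what follows is an added example, not the author's code, of one way to keep the dynamic filter while removing the substitution-syntax injection. It assumes a hypothetical EMP table, that the single free-text item P7_WHERE_CLAUSE_LS is replaced by three hypothetical items P7_FILTER_COL, P7_FILTER_OP and P7_FILTER_VAL, and that the region source type is "PL/SQL Function Body returning SQL Query".

```plsql
-- Added example (not from the post). Assumes table EMP(EMPNO, ENAME, JOB, DEPTNO)
-- and hypothetical page items P7_FILTER_COL, P7_FILTER_OP, P7_FILTER_VAL.
--
-- Vulnerable pattern the APEX Advisor warning is about: the page item's value is
-- spliced into the query text by substitution syntax, so the user types SQL:
--   select * from emp where &P7_WHERE_CLAUSE_LS.
--
-- Hardened pattern: region source "PL/SQL Function Body returning SQL Query".
-- Only the column name and operator are ever concatenated, and each must match a
-- fixed allow-list; the user-supplied value travels as a bind variable instead.
DECLARE
  l_col VARCHAR2(30)   := UPPER(TRIM(:P7_FILTER_COL));
  l_op  VARCHAR2(10)   := UPPER(TRIM(:P7_FILTER_OP));
  l_sql VARCHAR2(4000) := 'select empno, ename, job, deptno from emp';
BEGIN
  -- No filter requested: return the unfiltered query.
  IF l_col IS NULL THEN
    RETURN l_sql;
  END IF;

  -- Allow-list the identifier. Unknown input is rejected, not escaped.
  IF l_col NOT IN ('ENAME', 'JOB', 'DEPTNO') THEN
    raise_application_error(-20001, 'Filter column not permitted');
  END IF;

  -- Allow-list the operator the same way.
  IF l_op NOT IN ('=', '<>', '<', '>', 'LIKE') THEN
    raise_application_error(-20002, 'Filter operator not permitted');
  END IF;

  -- dbms_assert.simple_sql_name raises if the name is not a plain SQL identifier;
  -- redundant after the allow-list, but it documents the intent in the code.
  l_sql := l_sql || ' where ' || sys.dbms_assert.simple_sql_name(l_col)
                 || ' ' || l_op || ' :P7_FILTER_VAL';

  -- The value is never concatenated: APEX binds :P7_FILTER_VAL at execution time.
  RETURN l_sql;
END;
```

With this shape, re-running APEX Advisor no longer reports the substitution-syntax finding for the region, and a SQLMAP run against P7_FILTER_VAL has only a bound literal to work with.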